curl-users
Re: How to disable SNI for https requests
Date: Mon, 18 Dec 2017 00:30:22 -0500
On 12/17/2017 10:21 PM, Ram Subramanian via curl-users wrote:
> I'm trying to make an https request to an IP address and it fails
> because the common name of the certificate doesn't match the hostname.
> After some googling I found that the --resolve option lets me specify
> the hostname for that IP and pass this check.
>
> My problem now - the host I make the request to then redirects me to
> another host, by IP... and you guessed it, the SNI check now fails for
> the second host.
>
> I've tried to provide an additional --resolve option for the second
> host, but that doesn't work, and expectedly so.
>
> Seems to me the only way to handle this would be to disable SNI - is
> there any way to do this with curl?
What do you mean by SNI check fails?

Sometimes to access a server you have to send the hostname via SNI since
if that server is hosting multiple virtual servers it needs to know
which certificate to give you, and/or what origin server to possibly
connect to (the latter may also be done through the host header).

SNI is not sent for IP addresses, so if curl is following redirects
(-L,--location [1]) and it's given an IP address then no SNI is sent. Is
it possible what you are really looking to do is send the SNI with a
hostname of your choice? curl doesn't have a way to do that unless you
handle the redirects manually by using --write-out "%{redirect_url}" to
get the URL manually, instead of --location to retrieve it
automatically. Then you would rewrite the URL to use the hostname you want.

If I misunderstand this please give more information including your curl -V.

[1]: https://curl.haxx.se/docs/manpage.html#-L
[2]: https://curl.haxx.se/docs/manpage.html#-w
Received on 2017-12-18
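
The manual redirect handling described in the reply above, sketched as an added example that is not part of the original message or of curl itself. It reads each redirect with --write-out "%{redirect_url}", rewrites the IP-based URL to a hostname, and pins that hostname to the IP with --resolve so certificate verification stays enabled. The IP-to-hostname map, the example names and addresses, and the function names are all assumptions made for illustration; only IPv4 https URLs are handled.

```shell
# Added example: follow redirects by hand so each hop is requested by a
# hostname (used for SNI and certificate verification), not by bare IP.
# Constructed IP=hostname pairs (assumption; replace with your own hosts).
HOST_MAP="192.0.2.10=first.example.com 192.0.2.20=second.example.com"

# map_host IP: print the hostname mapped to IP, or return 1 if unknown.
map_host() {
  local pair
  for pair in $HOST_MAP; do
    if [ "${pair%%=*}" = "$1" ]; then printf '%s\n' "${pair#*=}"; return 0; fi
  done
  return 1
}

# plan_hop URL: for an https URL on a mapped IPv4 address, print
# "REWRITTEN_URL HOST:PORT:IP"; the second field feeds curl --resolve.
plan_hop() {
  local rest authority path ip port name hostport
  case $1 in
    https://*) rest=${1#https://} ;;
    *) return 1 ;;                      # refuse a downgrade to plain http
  esac
  authority=${rest%%/*}
  path=${rest#"$authority"}
  ip=${authority%%:*}
  port=443
  case $authority in *:*) port=${authority##*:} ;; esac
  name=$(map_host "$ip") || return 1
  hostport=$name
  if [ "$port" != 443 ]; then hostport=$name:$port; fi
  printf 'https://%s%s %s:%s:%s\n' "$hostport" "$path" "$name" "$port" "$ip"
}

# fetch_following URL OUTFILE: fetch URL into OUTFILE, at most 5 hops.
fetch_following() {
  local url hops plan next
  url=$1
  hops=5
  while [ "$hops" -gt 0 ]; do
    plan=$(plan_hop "$url") || { echo "no hostname mapped: $url" >&2; return 1; }
    # No -k and no --location: verification stays on, every hop is explicit.
    next=$(curl -sS -o "$2" --resolve "${plan#* }" \
      --write-out '%{redirect_url}' "${plan%% *}") || return 1
    if [ -z "$next" ]; then return 0; fi
    url=$next
    hops=$((hops - 1))
  done
  echo "too many redirects" >&2
  return 1
}
```

A call such as `fetch_following https://192.0.2.10/ body.html` stops with an error, rather than connecting unverified, when a redirect points at an address that has no entry in the map.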